Red Hot Cyber


Italian call center companies leave all audio recordings online

Redazione RHC : 9 September 2025 09:37

Italian companies that use online telephony platforms (VoIP) based on open-source software such as Asterisk and Vicidial rely on these systems to contact Italian citizens on a daily basis, offering various products and services for sale.

Paragon Sec, during an underground search, identified numerous call centers of Italian companies active in various sectors, from the promotion of photovoltaic panels to the supply of water, electricity, and gas, to wellness products.

What has been discovered, however, is alarming: a leak of private audio recordings between operators and customers, made publicly accessible on the web without any protection.

Why it’s a security and privacy issue

Call center audio recordings aren’t simple technical files; they contain the voices, personal details, and daily information of Italian citizens. If this content ends up online unprotected, the risks become real and immediate.

  • Phishing and telephone scams: Anyone listening to these audios can use phone numbers and personal details to pretend to be an operator, deceive people, and obtain further sensitive information.
  • Identity theft: Personal data, when combined with other public information, can be exploited to open contracts, apply for loans, or make purchases in the victims’ names.
  • Phishing and social engineering: Recordings reveal customer habits, preferences, and needs, providing valuable information for targeted attacks that are difficult to detect as fake.
  • Violation of dignity and trust: Listening in on conversations that should have remained private undermines the relationship between citizens and companies, generating a climate of widespread mistrust.

Furthermore, voice is biometric data. This opens up disturbing scenarios: telephone banking scams, false orders given to virtual assistants, and even manipulation in work or family contexts.

Violation of privacy regulations

The GDPR (EU Regulation 2016/679) and the Italian Privacy Code (Legislative Decree 196/2003) impose specific obligations:

  • Explicit and informed consent before recording conversations.
  • Right to access, correct, or delete personal data.
  • Data retention only for as long as strictly necessary.

Exposing these files online, without authentication, encryption, or access controls, constitutes a direct violation of the law and may result in significant penalties.

If unprotected, these recordings can be exploited for fraud, phishing, and social engineering, with immediate risks for customers and operators.

How the recordings were found

The recordings were not stored in confidential archives or on the dark web: they were simply available online, accessible to anyone who knew where to look.

Our team of analysts used a third-party platform, which has a search engine that indexes devices and servers exposed to the Internet. Through targeted queries, it was possible to identify Italian call center servers using platforms such as Asterisk or Vicidial.

These systems, if poorly configured, expose folders containing .wav or .mp3 files of conversations between operators and customers. Some servers also displayed web directories that could be browsed without authentication, a basic security flaw that made the records accessible to anyone.

Many of these systems, based on Asterisk and Vicidial, were configured without authentication or encryption, making private records publicly accessible.
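For operators who want to check their own web server for the condition described above, the following added example (not part of the original article or of Asterisk/Vicidial) audits an Apache 2.4 configuration for `<Directory>` blocks that enable automatic listings or declare no access restriction. Apache as the front-end, the directory paths and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample configuration (Apache 2.4 syntax); paths are placeholders.
SAMPLE_CONF = '''
<Directory "/srv/callcenter/recordings">
    Options Indexes MultiViews
    Require all granted
</Directory>
<Directory "/srv/callcenter/archive">
    Options -Indexes
    AuthType Basic
    AuthName "Call recordings"
    AuthUserFile /etc/httpd/recordings.htpasswd
    Require valid-user
</Directory>
'''

BLOCK_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)

def audit(conf_text):
    """Map each <Directory> path to a list of findings (empty list = clean)."""
    report = {}
    for path, body in BLOCK_RE.findall(conf_text):
        listing, restricted = False, False
        for raw in body.splitlines():
            parts = raw.split("#", 1)[0].split()
            if not parts:
                continue
            directive, args = parts[0].lower(), [a.lower() for a in parts[1:]]
            if directive == "options":
                # "Indexes", "+Indexes" or "All" turn on automatic listings.
                listing = any(a in ("indexes", "+indexes", "all") for a in args)
            elif directive == "require" and args != ["all", "granted"]:
                # Any Require other than "all granted" limits who may read.
                restricted = True
        findings = []
        if listing:
            findings.append("directory listing enabled")
        if not restricted:
            findings.append("no access restriction in this block")
        report[path] = findings
    return report

if __name__ == "__main__":
    for path, findings in audit(SAMPLE_CONF).items():
        print(path, "->", findings or "ok")
```

A block without its own `Require` line inherits from its parent, so a "no access restriction in this block" finding means the enclosing configuration must be reviewed as well.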

Impacts for Italian companies

The companies involved risk:

  • Heavy fines from the Privacy Guarantor.
  • Loss of trust on the part of customers.
  • Reputational damage that’s difficult to recover from.

Audio recordings expose not only companies, but above all the Italian citizens who receive calls from call centers every day. The leaked conversations contain information that can have direct and concrete consequences.

In a context where data protection is crucial for the protection of personal data.

Conclusions

The case of the audio recordings of Italian call centers found online is not a simple technical incident; it is proof of how incorrect configurations and a lack of basic controls can turn into a concrete threat for companies and citizens.

For companies, this means exposing themselves to fines, loss of trust, and reputational damage that is difficult to recover from. For citizens, however, the risk is direct: telephone fraud, identity theft, targeted phishing, and even the use of one’s voice as biometric data to create digital fakes.

Paragon Security, when contacted, makes the information acquired available to the relevant call center companies.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
